melp.nl


Using a .pfx to install an SSL certificate

Got a .pfx file and need to install an SSL certificate from it? Here's how I did it. You'll need to extract the signed public certificate (which contains the public key) and the private key, stored without a passphrase.

#!shell
cd /etc/nginx/
mkdir ssl
cd ssl
mv /path/to/pfx/file.pfx .
# The .pfx contains the private key: make it readable by the owner only
chmod 400 file.pfx

First extract the public certificate. You might be asked for the password that protects the .pfx.

#!shell
openssl pkcs12 -in ./file.pfx -clcerts -nokeys -out public.crt

And extract the private key; -nodes writes it unencrypted, without a passphrase:

#!shell
openssl pkcs12 -in ./file.pfx -nocerts -nodes -out private.rsa

Now you can test the certificate and key with openssl's built-in test server; -accept sets the port (443 here, but any free port will do):

#!shell
openssl s_server -www -accept 443 -cert ./public.crt -key ./private.rsa

Make sure no one can read the files other than you:

#!shell
chmod 400 /etc/nginx/ssl/*
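
A non-interactive variant of the extraction steps above that also checks the result, as an added example that is not part of the original post. The function names and the PFX_PASS environment variable are assumptions; public.crt and private.rsa are the file names used above. The files are created under umask 077 so the unencrypted key is never readable by others, and the key is confirmed to belong to the certificate before nginx is pointed at it.

```shell
#!/bin/sh
# Added example. Function names and PFX_PASS are assumptions, not from the post.
# Usage: export PFX_PASS; extract_pfx ./file.pfx /etc/nginx/ssl &&
#        key_matches_cert /etc/nginx/ssl/public.crt /etc/nginx/ssl/private.rsa

# Extract the certificate and the unencrypted key from a .pfx into a directory.
# The .pfx password is read from the exported variable PFX_PASS, so it does not
# show up in the process list the way a command-line argument would.
extract_pfx() {
    pfx=$1
    outdir=$2
    (
        umask 077    # new files are owner-only from the moment they exist
        openssl pkcs12 -in "$pfx" -clcerts -nokeys \
            -passin env:PFX_PASS -out "$outdir/public.crt" &&
        openssl pkcs12 -in "$pfx" -nocerts -nodes \
            -passin env:PFX_PASS -out "$outdir/private.rsa"
    )
}

# Succeeds only if the private key ($2) belongs to the certificate ($1).
# Both commands print the public key in the same PEM form, so the text can be
# compared directly. Returns 2 if either file cannot be parsed.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only if group and others have no permission bits on the file.
# Characters 5-10 of the ls mode string are the group and other bits.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```
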

With nginx it is now easy to fire up the server. I used a proxy for this because, from an architecture perspective, this is the easiest:

server {
    server_name example.org;

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/public.crt;
    ssl_certificate_key /etc/nginx/ssl/private.rsa;

    location / {
        proxy_pass http://example.org/;
        proxy_set_header Host $host;
        proxy_set_header X-Ssl on;
    }
}

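I pass an additional X-Ssl header to the backend so it knows we're publicly serving through the SSL proxy (e.g. for building absolute URLs). The backend should trust this header only on requests that arrive from the proxy, since a client that can reach the backend directly can set X-Ssl itself. Once you actually know how to do it, it is easy as pie.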

With thanks to Yadab Das and Berk D. Demir

